AMENDMENTS TO THE CLAIMS 



This listing of claims will replace all prior versions, and listings, of claims in the 
application. 

1. (Currently Amended) A method for [illegible] a network [illegible]
first machine and a second machine, comprising:

determining suspicious network activity on the network;

[illegible] session between the first machine and a monitoring device;

[illegible] a data access request from the first machine [illegible]

[illegible] the data access request;

sending a test to the first machine, the test having at least one characteristic
making the test resistant to automatic answering of the test;

[illegible] establishing [illegible]
communication session between [illegible] the second machine and
[illegible] if a valid response is received to the test; and

2. (Currently Amended) The method of claim 1, wherein the establish[illegible]

[illegible] responding to the initial packet from the first
machine by sending [illegible] a response packet to the first machine
encoding a connection state for establishing the communication session.

activity is [illegible]ishing a
3. (Original) The method of claim 2 wherein the initial packet is a SYN packet in
accord with the TCP protocol and the response packet is a SYN ACK packet in accord 
with the TCP protocol. 



4. (Currently Amended) The method of claim 3, wherein the SYN ACK packet 
comprises a number encoding a first address for the first machine on the network, and a 
second address for the second machine on the network. 

5. (Currently Amended) The method of claim 2, wherein [illegible]

packet by sending the response packet comprises:

generating a number [illegible] packet by encrypting [illegible]

for the first machine on the network, a second address for the second machine on the
network, and a secret unknown to the first machine, the number to facilitate [illegible]

[illegible] an acknowledgement packet from the first machine responsive
to the response packet.

6. (Currently Amended) The method of claim [[1]]5, further comprising: 

receiving the acknowledgement packet from the first machine responsive to
the generated response packet;

decoding a tentative connection state information from the acknowledgement 
packet; and 

determining if the tentative connection state information is valid. 

7. (Original) The method of claim 1, further comprising:
preparing a web page embodying the test; and 

said sending the test to the first machine including sending the web page to a 
networking application program of the first machine, the networking application program 
operative to receive and display the web page. 
8. (Original) The method of claim 1, wherein the test is embodied within a web
page. 

9. (Cancelled) 

10. (Currently Amended) The method of claim [[1]] [illegible],
wherein the establishing the [illegible] communication session between the first and
second machines includes the monitoring device storing an identifier for the first
machine in a list identifying machines that have provided the valid response.

11. (Currently Amended) A method for a monitoring device to facilitate
communication between a client and a protected server, comprising:

receiving a first packet from the client to begin a handshake for establishing a
first network connection between the client and the [illegible]

sending a second packet to the client to acknowledge the first packet;

receiving a third packet from the client acknowledging the second packet;

receiving a data access request from a networking application program of the
client;

sending [illegible] a test to the networking application program,
the test having at least one characteristic making the test resistant to automatic
answering of the test;

[illegible] establishing a second network
connection [illegible] device; and
12. (Currently Amended) The method of claim 11, further comprising:
receiving a response to the test from the client; 

determining the response comprises a valid answer to the test; and 

facilitating communication between the client and the protected server. 

13. (Original) The method of claim 11, wherein the monitoring device does not
allocate resources for tracking a state information for establishing the first network 
connection and instead encodes the state information within the second packet. 

14. (Original) The method of claim 11, wherein the third packet encodes a known
alteration of the state information. 
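
The stateless handshake recited in claims 5, 6, 13 and 14, sketched as an added example; it is not part of the filing and is not the applicant's implementation. It assumes HMAC-SHA256 truncated to 32 bits in place of the claimed encryption, a coarse time slot for expiry, and constructed addresses; all function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # assumption: known only to the monitoring device
SLOT_SECONDS = 64                    # assumption: time slot so old numbers expire


def _number(client, server, slot, secret=SECRET):
    """32-bit number bound to both addresses, a time slot and the secret."""
    (c_ip, c_port), (s_ip, s_port) = client, server
    msg = (socket.inet_aton(c_ip) + struct.pack("!H", c_port)
           + socket.inet_aton(s_ip) + struct.pack("!H", s_port)
           + struct.pack("!Q", slot))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def make_response_seq(client, server, now):
    """Sequence number for the response (SYN ACK) packet; no state is stored."""
    return _number(client, server, int(now) // SLOT_SECONDS)


def validate_ack(client, server, ack_number, now, max_age_slots=1):
    """Decode the tentative state from the ACK and decide whether it is valid.

    The ACK carries the response number plus one (the 'known alteration').
    """
    tentative = struct.pack("!I", (ack_number - 1) & 0xFFFFFFFF)
    slot = int(now) // SLOT_SECONDS
    for age in range(max_age_slots + 1):
        expected = struct.pack("!I", _number(client, server, slot - age))
        if hmac.compare_digest(tentative, expected):
            return True
    return False


if __name__ == "__main__":
    client = ("198.51.100.7", 40312)   # constructed documentation addresses
    server = ("203.0.113.10", 80)
    t0 = 1_700_000_000
    ack = (make_response_seq(client, server, t0) + 1) & 0xFFFFFFFF
    print("genuine ACK accepted:", validate_ack(client, server, ack, t0 + 5))
    print("other source accepted:",
          validate_ack(("198.51.100.8", 40312), server, ack, t0 + 5))
```

Because the device recomputes the number from the packet's own addresses, an ACK that did not follow a real response packet fails validation without any per-connection memory having been allocated.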

15. (Original) The method of claim 11, wherein the data access request is a GET
request formatted with respect to HyperText Transport Protocol (HTTP). 

16. (Original) The method of claim 11, wherein the networking application program
includes a web browser, and the test comprises a web page incorporating the test. 

17. (Currently Amended) A system, comprising:

a protected server responsive to network connection requests; 

a client machine seeking to establish communication with the protected server; 

and 

a monitoring device communicatively interposed between the protected server 
and the client machine, wherein the monitoring device is configured [illegible]
to send a test resistant to automatic answering
to the client machine, and [illegible]
device to [illegible] to facilitate establishing [illegible]
communication [illegible] the protected server if a valid
response to the test is received by the monitoring device.



18. (Original) The system of claim 17, wherein the monitoring device is further
configured to perform: 

receiving an initial packet from the client machine for establishing a 
communication session; and 

responding to the initial packet by sending a response packet to the client 
machine encoding a connection state for establishing the communication session. 

19. (Currently Amended) An article comprising:

a machine-accessible [illegible],

data stored in the storage medium, wherein the data, when
accessed, results in an apparatus communicatively coupled with a network
[illegible] communication between a first machine and a second machine by
performing:

determining suspicious network activity on the network;

receiving a data access request from the first machine
[illegible];

sending a test to the first machine, the test having at least one
characteristic making the test resistant to automatic answering of the test;
and

[illegible]
for establishing
communication
between the first machine and [illegible]
20. (Original) The article of claim 19 wherein the machine-accessible media further
includes data, when accessed, results in the machine performing: 

responding to the initial packet from the first machine by sending a response 
packet to the first machine encoding a connection state for establishing the 
communication session. 

21. (Currently Amended) An article

a machine-accessible storage medium; and

data stored in the storage medium adapted to [illegible] a
monitoring device to facilitate communication between a client and a protected server,
wherein the data, when accessed, results in the monitoring device
performing:

receiving a first packet from the client to begin a handshake for
establishing a first network connection between the client and the
[illegible]

sending a second packet to the client to acknowledge the first packet;

receiving a third packet from the client acknowledging the second packet;

receiving a data access request from a networking application program of
the client;

sending a test to the networking application
program, the test having at least one characteristic making the test
resistant to automatic answering of the test;

[illegible]

22. (Currently Amended) The article of claim 21 wherein the machine-accessible 
media further includes data, when accessed, results in the machine performing: 

receiving a response to the test from the client; 

determining the response comprises a valid answer to the test; and 

[illegible] second network connection between the [illegible]
server; and

facilitating communication between the client and the protected server. 

23. (New) The method of claim 1, wherein the determining the suspicious network
activity comprises: 

tracking by the monitoring device a number of attempts to establish 
communication sessions with the second machine; and 

if the number of attempts exceeds a predetermined threshold per a 
predetermined time period, modifying a state of the monitoring device from a normal 
mode of operation to a safe mode of operation. 

24. (New) The method of claim 23, further comprising: 

if the number of attempts falls below the predetermined threshold, modifying the 
state of the monitoring device from the safe mode of operation to the normal mode of 
operation; and 

while in the normal mode, facilitating by the monitoring device establishing of 
communication sessions directly between the first machine and the second machine. 
25. (New) The method of claim 1, further comprising after a valid response to the
test is received and the second communication session is established, facilitating by the 
monitoring device establishing of a third communication session directly between the 
first machine and the second machine. 

26. (New) The method of claim 1, wherein the test is sent to the first machine by the
monitoring device. 

27. (New) The method of 1, wherein the data access request is a GET request
formatted with respect to HyperText Transport Protocol (HTTP). 